Protecting Critical Infrastructure

Background

Critical infrastructure protection (CIP) consists of measures to safeguard interdependent systems, networks, and assets that form the backbone of services essential to society. Examples of vital physical infrastructure include roads, bridges, airports, communication facilities, and power plants. Information-based infrastructure enables all others and is characterized by computers and networks, especially supervisory control and data acquisition (SCADA) systems, which operate on an interconnected basis to enable information exchange and analysis across critical functions. These include banking, electrical power generation and distribution, medical services, government emergency services, and air and surface transportation.

As the critical information infrastructure of most nations is largely owned and operated by the private sector, we need a dynamic set of solutions, reflecting the fact that emerging threats, and the technology needed to deter them, often change faster than the regulatory process can keep up. The rapid and continuing changes inherent in the internet, combined with its global reach, demand flexible solutions that can be quickly adapted to new and evolving circumstances.

Importance to McAfee

The destruction or incapacitation of physical and/or information-based infrastructures from natural disasters, cyberattacks, or other means could cause great harm to citizens, companies, and governments. The challenge of protecting critical information systems and networks is global. Today’s information infrastructure fundamentally depends upon worldwide connectivity and interoperability. It is therefore essential to approach the challenge of protecting global critical information infrastructure by adopting effective international strategies and solutions.

At McAfee, we are dedicated to making the connected world more secure. We believe that no one person, product, or organization can fight cyber adversaries alone, particularly critical infrastructure organizations that are being attacked daily by nation states and global criminal syndicates. To date, McAfee has built a strong business in key critical infrastructure sectors, including healthcare, government, and finance. We are also making progress in other critical sectors such as communications and energy. As part of our dedication to serving the interests of our customers, we take an active interest in, and seek to influence, the public policy environments in which our customers and prospects operate as part of a larger, win-win strategy.

Policy recommendations

Maintain a voluntary approach

National governments have a legitimate interest in securing critical infrastructure, which is largely owned by the private sector. As such, McAfee believes the private sector should take the lead role in protecting it. Government should allow industry to continue to innovate voluntarily in critical infrastructure protection. Regulations and mandates will be counterproductive to the goal of ensuring the protection of our critical infrastructure.

If regulations were to force manufacturers to guard against today’s threats, tomorrow’s might very well slip through the cracks.

If government were to impose technology mandates, the result would likely be mere compliance rather than true security. Regulating in an area like cybersecurity is very tricky, and the unintended consequences could outweigh any benefits of the regulation.

Approaches such as the voluntary public-private partnership that produced the NIST Framework are far better than hard regulations. The NIST approach succeeded because policymakers and the private sector defined a real need: improving the security of critical infrastructures. With the process being open, NIST listened to the private sector and built trust with key stakeholders, resulting in a flexible framework based on voluntary collaboration, not rigid regulations. Collaboration enables integrated and validated industrial process solutions that can be more rapidly deployed, without sacrificing safety or reliability. Policymakers should keep in mind the success of the NIST Framework as a positive way to get to their desired outcome.

Incentivize security by design

Policymakers should incentivize security by design for any new CI installations. Introducing security early in the development process—building it into infrastructure from the ground up—is a proactive approach that is far preferable to patching, updating, and modifying systems for security after the fact.

Adding or “bolting on” security features to a system, network, or device after it’s already up and running has inherent weaknesses and inefficiencies—not the least of which is having to take the system offline while it’s being updated, an impractical requirement for the energy grid.

Manufacturers should consider security early in the design process for any networkable device and include mechanisms to securely upgrade and patch products after initial production.

Incentivize further investments in cybersecurity capabilities

As a front-line organization on cybersecurity, we know how hard-pressed our customers are to make all the investments they need to make their organizations run well. Often investments in cybersecurity can take a back seat to investments in new products, sales, or marketing. Given the national interest in protecting critical infrastructure systems owned and operated by the private sector, it makes sense for policymakers to implement additional incentives, like those below, to help these organizations improve their cybersecurity capabilities:

Insurance reforms: Government could enhance the insurance market by providing it with a backstop program. To that end, Congress should consider extending the reach of the Terrorism Reinsurance Program Reauthorization Act (TRIPRA) to include cyberattacks.

Incentives to overcome the information sharing free rider challenge: We need to recognize the disincentive that threat intelligence’s “free rider” problem has imposed on public and private sector information sharing. Every organization benefits from consuming threat intelligence but gains no direct value from providing it unless the right organizational structure and incentives are put in place to eliminate the free rider problem.

Declassification of more threat data: Governments need to improve the quality and the quantity of the threat data they share with the private sector to address the free rider problem. Governments should thus declassify larger categories of threat data and actively share them with the private sector. Governments should issue many more security clearances to qualified company representatives to enable access to the most sensitive, and potentially most valuable, pieces or classes of threat data.